KEYCLOAK-5176 Strip headers from PEM when uploading to client
This commit is contained in:
parent
19cfbbf7ff
commit
4541acc628
4 changed files with 22 additions and 6 deletions
|
@ -149,7 +149,7 @@ public final class PemUtils {
|
||||||
return Base64.decode(pem);
|
return Base64.decode(pem);
|
||||||
}
|
}
|
||||||
|
|
||||||
private static String removeBeginEnd(String pem) {
|
public static String removeBeginEnd(String pem) {
|
||||||
pem = pem.replaceAll("-----BEGIN (.*)-----", "");
|
pem = pem.replaceAll("-----BEGIN (.*)-----", "");
|
||||||
pem = pem.replaceAll("-----END (.*)----", "");
|
pem = pem.replaceAll("-----END (.*)----", "");
|
||||||
pem = pem.replaceAll("\r\n", "");
|
pem = pem.replaceAll("\r\n", "");
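Review bot: `removeBeginEnd` becomes a public utility here (it is now called from the admin upload path in the next file), but it carries no Javadoc and its contract is easy to misread: the `BEGIN (.*)` / `END (.*)` patterns strip armor of any type label, so a `PRIVATE KEY` block is stripped exactly like a `CERTIFICATE`, and the END pattern ends in four dashes rather than five, which only works because the greedy `(.*)` absorbs the fifth dash. I would add a Javadoc such as `/** Strips any -----BEGIN ...----- / -----END ...----- armor and CRLF line breaks from a PEM string and returns the bare body; the type label is discarded, so callers must validate what remains. */` and make the END pattern symmetric, `pem = pem.replaceAll("-----END (.*)-----", "");`. The three regexes are recompiled on every `replaceAll`; precompiled `private static final Pattern` fields would be the usual Java form. The rest of the method, including whatever handles bare `\n` line breaks, lies outside this hunk.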
|
||||||
|
|
|
@ -190,6 +190,8 @@ public class ClientAttributeCertificateResource {
|
||||||
if (keystoreFormat.equals(CERTIFICATE_PEM)) {
|
if (keystoreFormat.equals(CERTIFICATE_PEM)) {
|
||||||
String pem = StreamUtil.readString(inputParts.get(0).getBody(InputStream.class, null));
|
String pem = StreamUtil.readString(inputParts.get(0).getBody(InputStream.class, null));
|
||||||
|
|
||||||
|
pem = PemUtils.removeBeginEnd(pem);
|
||||||
|
|
||||||
// Validate format
|
// Validate format
|
||||||
KeycloakModelUtils.getCertificate(pem);
|
KeycloakModelUtils.getCertificate(pem);
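Review bot: The header strip runs before the format check, so by the time `getCertificate(pem)` sees the input the armor's type label is already gone, and the only thing rejecting a mislabeled upload (for example a `-----BEGIN PRIVATE KEY-----` block pasted into the certificate field) is whether its base64 body happens to fail to parse as a certificate. A cheap explicit guard before the strip gives a clearer failure: `if (pem.contains("-----BEGIN ") && !pem.contains("-----BEGIN CERTIFICATE-----")) { /* reject with the same error the invalid-format path uses */ }`. The new line also deserves a comment, e.g. `// Strip PEM armor and CRLFs so the stored value is the bare base64 body, matching header-less uploads`, since whether the stripped value is what gets persisted is not visible in this hunk and should be confirmed against the code that follows. The enclosing method continues outside the hunk.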
|
||||||
|
|
||||||
|
|
|
@ -165,6 +165,23 @@ public class CredentialsTest extends AbstractClientTest {
|
||||||
cert = certRsc.getKeyInfo();
|
cert = certRsc.getKeyInfo();
|
||||||
assertEquals("cert properly set", certificate2, cert.getCertificate());
|
assertEquals("cert properly set", certificate2, cert.getCertificate());
|
||||||
assertNull("privateKey nullified", cert.getPrivateKey());
|
assertNull("privateKey nullified", cert.getPrivateKey());
|
||||||
|
|
||||||
|
// Upload certificate with header - should be stored without header
|
||||||
|
form = new MultipartFormDataOutput();
|
||||||
|
form.addFormData("keystoreFormat", "Certificate PEM", MediaType.TEXT_PLAIN_TYPE);
|
||||||
|
|
||||||
|
String certificate2WithHeaders = "-----BEGIN CERTIFICATE-----\n" + certificate2 + "\n-----END CERTIFICATE-----";
|
||||||
|
|
||||||
|
form.addFormData("file", certificate2WithHeaders.getBytes(Charset.forName("ASCII")), MediaType.APPLICATION_OCTET_STREAM_TYPE);
|
||||||
|
cert = certRsc.uploadJks(form);
|
||||||
|
assertNotNull("cert not null", cert);
|
||||||
|
assertEquals("cert properly extracted", certificate2, cert.getCertificate());
|
||||||
|
assertNull("privateKey not included", cert.getPrivateKey());
|
||||||
|
|
||||||
|
// Get the certificate again - to make sure cert is set, and privateKey is null
|
||||||
|
cert = certRsc.getKeyInfo();
|
||||||
|
assertEquals("cert properly set", certificate2, cert.getCertificate());
|
||||||
|
assertNull("privateKey nullified", cert.getPrivateKey());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
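Review bot: The new case built at `certificate2WithHeaders` only exercises `\n` line breaks and a single-line body, while `removeBeginEnd` explicitly strips `\r\n`, so the CRLF form that PEM files exported on Windows use is untested, as is a body wrapped at 64 columns the way OpenSSL writes it. I would add a second upload using `"-----BEGIN CERTIFICATE-----\r\n" + certificate2 + "\r\n-----END CERTIFICATE-----\r\n"` with the same three assertions, and ideally one with the base64 body split across lines to pin whether wrapped bodies are accepted. On the `getBytes` call, `StandardCharsets.US_ASCII` is preferable to `Charset.forName("ASCII")`, which does a runtime lookup by name. The enclosing test method begins before the hunk.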
|
||||||
|
|
|
@ -43,11 +43,7 @@ import org.keycloak.admin.client.resource.ClientResource;
|
||||||
import org.keycloak.authentication.AuthenticationFlowError;
|
import org.keycloak.authentication.AuthenticationFlowError;
|
||||||
import org.keycloak.authentication.authenticators.client.JWTClientAuthenticator;
|
import org.keycloak.authentication.authenticators.client.JWTClientAuthenticator;
|
||||||
import org.keycloak.common.constants.ServiceAccountConstants;
|
import org.keycloak.common.constants.ServiceAccountConstants;
|
||||||
import org.keycloak.common.util.BouncyIntegration;
|
import org.keycloak.common.util.*;
|
||||||
import org.keycloak.common.util.KeycloakUriBuilder;
|
|
||||||
import org.keycloak.common.util.KeystoreUtil;
|
|
||||||
import org.keycloak.common.util.Time;
|
|
||||||
import org.keycloak.common.util.UriUtils;
|
|
||||||
import org.keycloak.constants.ServiceUrlConstants;
|
import org.keycloak.constants.ServiceUrlConstants;
|
||||||
import org.keycloak.events.Details;
|
import org.keycloak.events.Details;
|
||||||
import org.keycloak.events.Errors;
|
import org.keycloak.events.Errors;
|
||||||
|
@ -727,6 +723,7 @@ public class ClientAuthSignedJWTTest extends AbstractKeycloakTest {
|
||||||
}
|
}
|
||||||
|
|
||||||
private static void assertCertificate(ClientRepresentation client, String certOld, String pem) {
|
private static void assertCertificate(ClientRepresentation client, String certOld, String pem) {
|
||||||
|
pem = PemUtils.removeBeginEnd(pem);
|
||||||
final String certNew = client.getAttributes().get(JWTClientAuthenticator.CERTIFICATE_ATTR);
|
final String certNew = client.getAttributes().get(JWTClientAuthenticator.CERTIFICATE_ATTR);
|
||||||
assertNotEquals("The old and new certificates shouldn't match", certOld, certNew);
|
assertNotEquals("The old and new certificates shouldn't match", certOld, certNew);
|
||||||
assertEquals("Certificates don't match", pem, certNew);
|
assertEquals("Certificates don't match", pem, certNew);
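Review bot: The import hunk replaces five explicit `org.keycloak.common.util` imports with the wildcard `org.keycloak.common.util.*`; wildcard imports are generally avoided in Java because they hide which names a file depends on and can introduce ambiguity when the package later gains a name that clashes, so keeping the explicit list and adding `import org.keycloak.common.util.PemUtils;` is the cleaner change. In `assertCertificate` the added line reassigns the `pem` parameter, which reads as if the caller's value were modified; a named local is clearer, e.g. `final String expected = PemUtils.removeBeginEnd(pem);` followed by `assertEquals("Certificates don't match", expected, certNew);`. The closing brace of `assertCertificate` is outside the hunk.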
|
||||||
|
|